Java Form to PostgreSql triggering firewall

Django x2 · 18 Jun 2022 at 21:15

Possibly a bit too advanced for here, but has anyone any experience of HTML/JAVA forms that submit to a database (in this case PostgreSQL)? We're getting a lot of triggers on the WAF with OWASP policies applied. There's been some tuning, but still, simple free form text boxes get blocked, things like " UPDATE number to 07888554443"

It's clearly seeing it as SQLi but I mean come on, surely the WAF isn't that stupid?

peterwalkley · 19 Jun 2022 at 09:34

Not quite sure I understand your architecture, so sorry if these are stupid questions:

- Is your database port exposed to the internet and if so, are you using the out-of-box ports e.g. 3306 for mysql, 1521 for oracle ?
- Is the browser sending SQL commands to the server directly, or just form data ?

gpuerrilla · 19 Jun 2022 at 09:41

Also what is being used as the firewall?

throwaway4372 · 19 Jun 2022 at 09:47

Too vague, some thoughts:
- forms should submit to a script, not directly to a database, the script sorts out the details and saves data to the databases in a secure way.
- are you guessing or do you know it is identifying the reason for block as sql injection? If so, the exact query matters, a simple example isn't sufficient to diagnose.
- in this example I would expect a parameterised query which updates one row only. I wouldn't expect "number" to be a column name because it's a non-reserved keyword.

Django x2 · 20 Jun 2022 at 10:55

Hi guys, thanks for responses. This is all Azure based, a static web front end webapp which fires off Java to client side check and submit to the PostgreSql dB in Azure. This is behind a private endpoint, and a web application firewall.

The example above:

07555555555 update in your records please

Will trigger the WAF policy and stop the field being updated.